SANS ISC InfoSec Forums

Note that this malware does NOT exploit 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198. It simply uses the autorun.inf to launch the executable, or waits for the user to double click the .LNK file. I wrote up this diary before fellow handler Bojan pointed that out to me.

Aaron wrote in the following:

"We had a user get infected ... The symptoms we saw were as follows:

The virus hides all folders on the root of any drive it has write access to.

It then drops an LNK file named the same as all of the folders. So you have a series of LNK files where your folders used to be. This appears to only happen at the root of the drive(s) the user has write access to.

Then the virus drops an autorun.inf, EXE, and SRC file at the root of the infected drives.

One of the things we did to scan our server shares was to run robocopy in list-only mode. We used a command similar to this:
robocopy \\server\share c: *.lnk /MAXAGE:2 /L /S /R:3 /W:3 /NDL
It scans for any LNK files created in the past 2 days. The reasoning is that LNK files should not be created very often on shares, so a large number of them would be suspicious."
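
The same idea as the robocopy sweep above, as an added example that is not part of the diary or of Aaron's submission: a small Python script that checks only the root of a drive or share for the pattern he describes, that is .lnk files recently created or named after a sibling folder, plus autorun.inf and dropped binaries. The sample tree it scans is constructed in a temporary directory; the DROPPER_EXTS list and the treatment of the reported "SRC" file as a .scr screensaver are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Report mentions EXE and "SRC"; .scr (screensaver) is assumed, .src kept to match literally.
DROPPER_EXTS = (".exe", ".scr", ".src")

def scan_root(root, max_age_days=2):
    """Inspect only the root of a drive/share, where the report places the
    pattern: .lnk files shadowing folders, autorun.inf, and dropped binaries."""
    root = Path(root)
    now = time.time()
    folder_names = {p.name.lower() for p in root.iterdir() if p.is_dir()}
    found = {"shadow_lnk": [], "recent_lnk": [], "autorun": False, "droppers": []}
    for p in root.iterdir():
        if not p.is_file():
            continue
        name = p.name.lower()
        if name == "autorun.inf":
            found["autorun"] = True
        elif name.endswith(DROPPER_EXTS):
            found["droppers"].append(p.name)
        elif name.endswith(".lnk"):
            if (now - p.stat().st_mtime) / 86400 <= max_age_days:  # same window as /MAXAGE:2
                found["recent_lnk"].append(p.name)
            if p.stem.lower() in folder_names:  # .lnk carrying the name of a sibling folder
                found["shadow_lnk"].append(p.name)
    return found

def is_suspicious(found):
    """Either indicator alone is enough to flag the root for a closer look."""
    return bool(found["shadow_lnk"]) or (found["autorun"] and bool(found["droppers"]))

def demo():
    """Build a constructed sample tree (placeholder bytes, not real malware) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Finance").mkdir()                                   # the real folder
        (root / "Finance.lnk").write_bytes(b"constructed .lnk placeholder")  # its shadow
        (root / "Notes.lnk").write_bytes(b"ordinary shortcut, no matching folder")
        (root / "autorun.inf").write_text("[autorun]\n")
        (root / "payload.exe").write_bytes(b"constructed placeholder")
        old = root / "Old.lnk"                                       # outside the 2-day window
        old.write_bytes(b"shortcut older than the window")
        week_ago = time.time() - 7 * 86400
        os.utime(old, (week_ago, week_ago))
        found = scan_root(root)
        return found, is_suspicious(found)
```

On a real share, replace the temporary directory with the share's root path; the scan is deliberately not recursive because the report places the dropped files at the root.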

He also sent us a copy of the files found on the affected system. The VirusTotal (virustotal.com) results yesterday were 11/36 (30.56%).

We saw this last Tuesday at work. Symantec detects it now as W32.Changeup. Apparently it is a new variant because they have known about W32.Changeup for months but they still did not detect it until the newest updates were released that day.